One week before the General Data Protection Act (GDPR) came into force on May 25, 2018, the Hungarian office of Schoenherr organized a one-day seminar to highlight some of the key elements of the regulation that companies in the real estate sector should keep in mind.
But what does data privacy have to do with the real estate sector, and why should property owners, administrators, and real estate agencies and their agents be particularly alert to its requirements? According to Tamas Balogh, Attorney at Schoenherr Hungary, the answer is simple: we only have to consider that all of us live, work, and spend most of our lives in buildings, and therefore those in the real estate industry collect and process personal data on a daily basis, as owners, developers, or landlords.
“Landlords must keep an eye on the needs of their clients — on the users of the properties — and for this they have to collect certain data. While they are doing so they have to consider the provisions of the GDPR,” Balogh said at the event. “The same is true of the administrator or facility manager of a building of flats, who gathers information on tenant heating and light-usage habits, or by the agent of a parking lot, who registers every passing car’s plate number,” he explained, adding that under the GDPR every property owner becomes a data controller, managing personal data. Indeed, he points out, those reviewing the data have the means to learn more about the data subjects than might be expected, just by following their consumption habits. “You can guess how rich or poor they are, how much time they spend inside the house, and — why not — even maybe their religion. If around religious holidays, for example, someone cooks or invites family members, that will be shown in the consumption data,” he explains.
During the Schoenherr seminar, speakers from the firm emphasized that the GDPR provides a rather broad definition of “personal data”: it can mean any information relating to a person allowing that person to be identified either directly or indirectly. In a follow-up interview with CEELM, Balogh said that exactly for this reason, because of the ambiguous nature of the Act, the main point of the seminar was to remind real estate investors that they have to be aware that they are collecting personal data and thus that they will face data protection obligations. Players on the real estate market should be aware of the risks if such data is not processed correctly.
“I would say that there are three important legal aspects defined by the GDPR that must be considered in the real estate sector,” Balogh said. “First, when it comes to arrangements with service providers operating a building (e.g., property managers, facility managers, and operators of CCTV cameras), the GDPR defines various essential provisions that must be included in the agreement. It is also advisable to revise existing agreements in this respect. The second important consideration in this sector is that it is not required to obtain consent for processing personal data if it is required for the execution of an agreement and one of the parties is a natural person. A good example for that is a lease agreement with natural person. The third and most important aspect of the GDPR to be considered involves the ‘legitimate interest’ of landlords. This means that landlords have a legitimate interest to protect their buildings — their assets — and in this case, they have a legal basis to operate security systems that record personal data (e.g., they may install a camera in the building) without asking for consent. It is said that this serves the interest of both parties, and ensures that tenants can live in a secure environment.” The Schoenherr attorney explained that in this particular case, at least, the interests must be balanced against each other. “On the first hand there is the interest of the landlord and tenants in securing the building, while on the second hand, there is the residents’ interest in having their personal data protected, and these two are in competition with each other. In this specific situation, however, I would say that the first one should prevail. Nevertheless, it must be noted that under the current regulations recording someone with a CCTV camera requires at least the implicit consent of such person. The latter provision is not yet harmonized with the provisions of GDPR.”
The GDPR takes a wide view of what constitutes personal data and changes the entire process of collecting, processing, and storing personal data, and mishandling its requirements may have a number of consequences. However, although the GDPR has come into force, the relevant Hungarian laws have not yet been harmonized with it, which may cause uncertainty in some cases.
“Although we have a data protection authority — the National Authority for Data Protection and Freedom of Information — we have no legal ground to say that this authority is responsible for supervising and monitoring the application of the GDPR,” Balogh says, pointing out that, as a result, there is no official authority empowered to oversee the GDPR’s application or educate Hungarian companies on how to process data in line with the GDPR and individuals how they can better protect their own personal data. “This is something that needs to be considered, and I think that the supervisory authority’s first job should be the education of data processor companies and the people. What we can do for companies at the moment is check their systems, their IT protection, their consent declarations, but individuals themselves will also have to check and carefully consider the reasons why some of their data is being asked for, and how it will be used in the future.”